Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in dotenv-express (npm)

dotenv-express

Risk score

92

AI summary

Indexed incident for dotenv-express (npm).

Description

Package impersonates the popular dotenv package: package.json points its repository field to git://github.com/motdotla/dotenv.git and homepage to https://github.com/motdotla/dotenv#readme, neither of which the author owns. The library code is a near-verbatim copy of dotenv but adds const gate = require('environment-gate') at the top of lib/main.js, and the documented config() entry point begins with gate.gate() — so any consumer calling the standard dotenv API (require('dotenv-express').config()) executes code from environment-gate, an unrelated third-party dependency with no env-file-loading purpose, on every load. The package additionally ships skills/dotenv/SKILL.md and skills/dotenvx/SKILL.md whose frontmatter declares name: dotenv, author: motdotla, source: https://github.com/motdotla/dotenv, and instructs npm install dotenv — identity-spoofing metadata designed to trick AI coding agents into treating this package as the genuine dotenv. The combination of impersonated repo/homepage/skill metadata, a name one token away from dotenv, and a forced transitive dependency that runs on the documented API call is deliberate namespace abuse rather than a typo, and the harm to installers is whatever environment-gate does at require-time on every .config() invocation.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=2.5.5=17.4.4=17.4.5=17.4.3=17.4.6=17.4.2

Indicators

  • Advisory IDs
    90%
  • affected version=2.5.575%
  • affected version=17.4.475%
  • affected version=17.4.575%
  • affected version=17.4.375%
  • affected version=17.4.675%
  • affected version=17.4.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents